HKEY_CLASSES_ROOT Permissions

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I am using Windows Vista Home Premium and have noticed that there are no
permissions set for HKEY_CLASSES_ROOT. The following message is displayed.

No permissions have been assigned for this object.

Warning: this is a potential security risk because anyone who can access
this object can take ownership of it. The object’s owner should assign
permissions as soon as possible.

I don't think this is correct and was wondering if anyone knows what
permissions should be set.
 
Mark said:
I am using Windows Vista Home Premium and have noticed that there are no
permissions set for HKEY_CLASSES_ROOT. The following message is displayed.

No permissions have been assigned for this object.

Warning: this is a potential security risk because anyone who can access
this object can take ownership of it. The object’s owner should assign
permissions as soon as possible.

I don't think this is correct and was wondering if anyone knows what
permissions should be set.

Users: read
Administrators: full control
System: full control
CREATOR OWNER: full control on subkeys only

Note that HKEY_CLASSES_ROOT is HKEY_LOCAL_MACHINE\Software\Classes and
HKEY_CURRENT_USER\Software\Classes combined together, with entries in
HKCU taking precedence.

I believe writes to this location get sent to HKLM, but not exactly sure.
 
Mark wrote:

That's possible - as JB says, HKCR is really a merging together of
HKLM..Classes and HKCU..Classes, so I can't see how one could map a
single set of permissions to it. I'd expect that to be "greyed".

That's the part that looks buggy to me...

JB (Jimmy Brush) said:
Note that HKEY_CLASSES_ROOT is HKEY_LOCAL_MACHINE\Software\Classes and
HKEY_CURRENT_USER\Software\Classes combined together, with entries in
HKCU taking precedence.
I believe writes to this location get sent to HKLM, but not exactly sure.

Ew... bad place for doubts, eh? Maybe it's like rt-clicking a flyout
in the Start Menu, that you get whichever exists. Hmm.


--------------- ---- --- -- - - - -
Saws are too hard to use.
Be easier to use!
 
cquirke said:
That's possible - as JB says, HKCR is really a merging together of
HKLM..Classes and HKCU..Classes, so I can't see how one could map a
single set of permissions to it. I'd expect that to be "greyed".

I thought that at first too, but when I check in my regedit it had
permissions set! I will see if I can dig up a real answer to the
question "does this beast really have security or does it delegate to
the backing store and what really happens when you modify a key here"
 
Mark said:
Should I replace all inheritable permissions on all descendants from this
obect?

I would not recommend doing that, as I am not sure how those security
settings would be applied.

I did dig up this information from MSDN though:

"If you write keys to a key under HKEY_CLASSES_ROOT, the system stores
the information under HKEY_LOCAL_MACHINE\Software\Classes. If you write
values to a key under HKEY_CLASSES_ROOT, and the key already exists
under HKEY_CURRENT_USER\Software\Classes, the system will store the
information there instead of under HKEY_LOCAL_MACHINE\Software\Classes."

So, creating keys always goes to HKLM. However, writing values goes to
HKCU, iff the containing key exists in HKCU; otherwise, it goes to HKLM.

It doesn't talk about security, though, so I will keep looking.

I would recommend checking the security on your
HKEY_LOCAL_MACHINE\Software\Classes and
HKEY_CURRENT_USER\Software\Classes keys to make sure they are all right.

And making sure they are not "empty".

They need different security settings, so don't apply the same security
settings to both of them.
 
Back
Top